DETAILED ACTION

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 9/21/06 has been entered.

Claims 1-12, 14-22, 24-29 are pending.

All objections and rejections not set forth below have been withdrawn.

Claim Rejections - 35 USC §112

The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-12, 14-22, 24-29 are rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.
Specifically, claims 1, 8, and 18 each comprise the limitation (or an essentially similar one), "requesting that the user computer resubmit the request". However, the examiner notes that if a submitted request is a malicious request, then according to the applicant's original disclosure, the user computer is requested to send a non-malicious request - not the malicious request. Thus, this limitation is ambiguous, as the claims suggest that a malicious request is being resubmitted.

Dependent claims are rejected by virtue of dependency.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-12, 14-22, 24-29 are rejected under 35 U.S.C. 103(a) as being unpatentable over CERT CC, "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" (CERT-Advisory) in view of CERT CC, "Understanding Malicious Content Mitigation for Web Developers" (CERT) in view of Wheeler, Secure Programming for Linux and Unix HOWTO.

Regarding claim 8, CERT-Advisory discloses:
receiving an HTTP request at a server computer, wherein the HTTP request includes input data that was not generated by the server computer (CERT-Advisory, page 1, Systems Affected, Overview; page 2, pars. 2-4).

CERT-Advisory discloses, in general, that the server site attempts to filter the incoming HTTP request according to the criteria of removing dangerous meta-characters, so as to prevent their sites from being attacked, "abused", by malicious data or a cross-site scripting attack (CERT-Advisory, page 5, Solutions for Web Page Developers and Web Site Administrators). While one of ordinary skill in the art would rightly and easily conclude from the context of CERT-Advisory that the incoming meta-characters being filtered are being evaluated against known scripting constructs or characters, CERT-Advisory does not explicitly say the evaluation is to determine if the input data includes a script construct, wherein the script construct indicates that the HTTP request is part of a cross-site scripting attack. Instead, CERT-Advisory directs the readers' attention to the detailed solution (found in CERT) for preventing cross-site scripting attacks in response to receiving HTTP requests comprising malicious scripts.

CERT discloses the specifics for mitigating cross-site scripting attacks by evaluating the incoming data requests to determine the presence of dangerous meta-characters, indicating the presence of malicious scripts (CERT, page 1, par. 1, Problem Summary, pars. 2-3; page 2, Mitigation Summary; page 3, Identifying the Special Characters; page 4, Filtering Dynamic Content). CERT thus clearly demonstrates that the filtering of input data for dangerous meta-characters is an evaluation of the presence of malicious script constructs.
Application/Control Number: 10/600,683 Page 5 

Art Unit: 2137 

It would have been obvious to one of ordinary skill in the art to combine the teachings of CERT, for evaluating input data for script constructs - in addition to other specific teachings of CERT for mitigating cross-site scripting attacks - with the system of CERT-Advisory. This would have been obvious because CERT-Advisory explicitly says to include the reference of CERT so as to successfully mitigate cross-site scripting attacks (CERT-Advisory, page 5, par. 6).

The combination of CERT-Advisory and CERT discloses refusing to dynamically render a response to the HTTP request if the input data includes a script construct (Examiner Notes: The applicant's original disclosure states that a server, in response to the malicious request, will serve an informative response to the user indicating an error and requesting that the user submit a non-malicious request. Thus, the examiner interprets the applicant's limitation "refusing to dynamically render a response" to mean refusing to execute the HTTP request, as the applicant has originally disclosed.) (CERT-Advisory, pg. 1, "Overview"; pg. 2, "Malicious code sent inadvertently by a client for itself"; CERT, pg. 1, par. 1; pg. 2-4, "Mitigation Summary"). Herein, the prior art discloses that if the input data includes a script construct, refusing to execute the HTTP request and thereby preventing the cross-site scripting attack if the input data includes a script construct. Malicious HTTP requests are not executed. Furthermore, the combination discloses filtering and encoding to remove malicious scripts and data for every HTTP request.

The combination does not disclose informing the user that a marker of active content has been discovered in the request and requesting that the user computer resubmit the request and subsequently serving a response to a request resubmitted by the user computer.

Wheeler, in response to the problem of cross-site scripting attacks and building upon the prior art teachings of CERT (Wheeler, 4.10, 6.15, 6.15.1 - 6.15.2.1, 8.5), teaches that a system in practice may forbid markers of active content and send informative error messages to users who include them in requests. A system could notify the user of ways to correct such issues (Wheeler, 4.11.6, par. 2; 4.11.1; 4.11.3, par. 5; 4.12, par. 5).

It would have been obvious to one of ordinary skill in the art to employ the teachings of Wheeler along with the teachings of the combination of CERT and CERT-Advisory. This would have been obvious because one of ordinary skill in the art would have been motivated by the explicit suggestions found within the prior art when practically implementing a solution to mitigate malicious scripting attacks.

Regarding claim 9, the combination discloses:

at least one of: receiving a query string that includes at least one query string variable; receiving a cookie; receiving one or more headers in the HTTP request; and receiving one or more form fields (CERT-Advisory, page 2, pars. 2-5; CERT, page 2, Mitigation Summary).

Regarding claim 10, the combination discloses:

at least one of: searching the HTTP request for one or more character combinations that correspond to a script construct; searching the HTTP request for an event that includes a script construct; searching server variables that derive input data from another source; and searching the HTTP request for an expression that includes a script construct (CERT, page 3, Identifying the Special Characters; page 4, Filtering Dynamic Content).

Regarding claim 11, the combination discloses:

searching the input data for a script construct (CERT, page 3, Identifying the Special Characters; page 4, Filtering Dynamic Content).

Regarding claim 12, the combination discloses:

searching for patterns associated with scripts (CERT, page 3, Identifying the Special Characters; page 4, Filtering Dynamic Content).

Regarding claim 14, the combination discloses:

wherein preventing the cross-site scripting attack if the input data includes a script construct further comprises logging an event at the server computer (Wheeler, 8.1; 10.9; 10.11). Herein, the combination discloses that a server generates a detailed log of events regarding system successes and failures, in addition to sending a response back to the user regarding the event - such as why there was a failure.
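The flow the examiner reads into claims 8 through 14 (evaluate every client-supplied field of the request for script constructs, refuse to render the dynamic response when one is found, log the event at the server, and tell the user which fields to fix and resubmit), written out as an added Python example. This is not code from the Office action, the applicant's specification, or the cited CERT and Wheeler texts; the request model, the pattern set and all function names are assumptions made for illustration.

```python
"""Added example (not from the Office action or the cited CERT/Wheeler texts).

Models the claim 8-14 flow as the examiner reads it: the server receives an
HTTP request with input data it did not generate (query string, cookies,
headers, form fields), searches that input for script constructs, and if one
is found refuses to render the dynamic response, logs the event, and returns
an informative error asking the user to resubmit the request without the
active content. The request model and the pattern set are assumptions.
"""
import logging
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

log = logging.getLogger("xss_guard")

# Illustrative script constructs (an assumed set, not the patterns of any cited source).
SCRIPT_CONSTRUCTS = {
    "script_tag":     re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    # event attributes such as onmouseover= or onclick= (a fixed list avoids matching "onion=")
    "event_handler":  re.compile(r"\bon(?:click|mouseover|mouseout|load|error|focus|blur|change|submit)\s*=",
                                 re.IGNORECASE),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
    "css_expression": re.compile(r"expression\s*\(", re.IGNORECASE),
}


@dataclass
class HttpRequest:
    """Only the client-supplied parts of a request (assumed minimal model)."""
    query_string: str = ""
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form_fields: dict = field(default_factory=dict)


def untrusted_fields(req):
    """Yield (source, name, value) for every field not generated by the server."""
    for name, value in parse_qsl(req.query_string, keep_blank_values=True):
        yield "query", name, value
    for source, mapping in (("cookie", req.cookies), ("header", req.headers),
                            ("form", req.form_fields)):
        for name, value in mapping.items():
            yield source, name, value


def find_script_constructs(req):
    """Return [(source, field_name, construct_name), ...] for every match."""
    findings = []
    for source, name, value in untrusted_fields(req):
        for construct, pattern in SCRIPT_CONSTRUCTS.items():
            if pattern.search(value):
                findings.append((source, name, construct))
    return findings


def handle(req, render):
    """Serve the request, or refuse to render it when a script construct is present.

    `render` is the application's normal handler; it is called only for clean
    requests. Returns (status_code, body).
    """
    findings = find_script_constructs(req)
    if not findings:
        return 200, render(req)
    # Log the event at the server, then inform the user and ask for resubmission.
    # %r is used for the user-controlled field name so newlines cannot forge log lines.
    for source, name, construct in findings:
        log.warning("refused to render: %s in %s field %r", construct, source, name)
    fields = ", ".join(sorted({f"{s}:{n}" for s, n, _ in findings}))
    body = (f"Your request was not processed because these fields contain active "
            f"content: {fields}. Please remove the markup or script and resubmit.")
    return 400, body


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample requests.
    bad = HttpRequest(query_string="q=<script>alert(1)</script>&page=2",
                      form_fields={"comment": "<img src=x onerror=alert(1)>"})
    print(handle(bad, lambda r: "page"))
    print(handle(HttpRequest(query_string="q=hello"), lambda r: "page"))
```

The error body names only the offending field, not the submitted value, so the refusal itself never echoes the script back into a page; the log records the construct name and field for later review. Blocking on patterns like these is a coarse control (the construct list will never be complete), so in practice it accompanies, rather than replaces, encoding of user input at output time.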
Regarding claim 15, the combination of CERT-Advisory, CERT, Hidalgo, and Fielding discloses:

encoding the user input including the script construct to render the script inert (CERT-Advisory, page 2, par. 1; page 5, pars. 3-6; CERT, page 3, Identifying the Special Characters; page 4, par. 2).

Regarding claim 16, the combination of CERT-Advisory, CERT, Hidalgo, and Fielding discloses:

evaluating the HTTP request to determine if the input data includes a marker of active content (CERT, page 2, Mitigation Summary - particularly steps 2 and 4; page 3, Identifying the Special Characters).

Regarding claim 17, the combination of CERT-Advisory, CERT, Hidalgo, and Fielding discloses:

determining if the marker of active content is within a particular element, wherein the marker of active content is harmful only when rendered within the particular element (CERT, page 2, Mitigation Summary - particularly steps 2 and 4 (identifying special characters, filtering specific characters in dynamic elements); page 3, Identifying the Special Characters).
Regarding claims 1-3, 5-7, 18-22, 24, and 25, they are method claims and claims to a method embodied on a computer-readable medium corresponding to the system claims 1-17, and they are rejected, at least, for the same reasons.

Regarding claim 4, the combination discloses: evaluating only a portion of the request that includes the data derived from an outside source (CERT, page 2, Mitigation Summary; Wheeler, sect. 4, par. 1, 12). The combination of CERT-Advisory and CERT discloses the need to evaluate data comprising untrusted input that could be transmitted in an HTTP request.

Regarding claim 26, the combination enables:

wherein determining if the request from the user computer includes a marker of active content comprises evaluating only user input fields of the request (CERT, page 2, Mitigation Summary; Wheeler, sect. 4, par. 1, 12). The combination of CERT-Advisory and CERT discloses the need to only evaluate data comprising untrusted input that could be transmitted in an HTTP request. Thus, it is obvious that if the only untrusted input of a request comprises user input fields, then the combination would evaluate the user input fields.

Regarding claim 27, the combination discloses maintaining a list of markers of active content (CERT, pg. 4, 5). The combination does not disclose inactivating markers in the list of markers. However, the notion of updating/modifying a list used in performing security checks was known and would have been obvious to one of ordinary skill in the art. One of ordinary skill in the art would have been motivated to modify the list [such as by "inactivating" list elements] as it would enable a more flexible or customizable system. For evidentiary teachings of customizable systems that prevent cross-site scripting attacks, the applicant may refer to any of the cited prior art, including Scott et al., "Abstracting Application-Level Web Security" (pg. 1:col. 2:par. 3; pg. 3:col. 2:par. 1; pg. 6:col. 1:par. 1) or Sirer et al., "An Access Control Language for Web Services" (pg. 1:col. 2:par. 1; pg. 4:col. 2:par. 2).
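The encoding side of the rejection, covering claims 15 through 17 above (encode user input so any script it carries is rendered inert; detect markers of active content; treat a marker as harmful only within the element it is rendered into) together with the maintained, inactivatable marker list of claim 27, as an added Python example. It is not code from the Office action, the applicant's specification, or the cited references; the two rendering contexts, the marker table and all names are assumptions made for illustration.

```python
"""Added example (not from the Office action or the cited CERT/Wheeler texts).

Shows the encoding side of the rejection: user input is encoded so that any
script it carries is rendered inert (claim 15), the data is checked for
markers of active content (claim 16), and whether a marker counts as harmful
depends on the element it is rendered into (claim 17): a double quote can
close an attribute value but is inert in text content. The marker list is
kept explicitly so individual entries can be inactivated (claim 27).
The contexts, the marker table and all names are assumptions.
"""

# Assumed marker table: marker -> (contexts in which it is harmful, inert replacement).
# "text" is element content such as <p>...</p>; "attr" is a double-quoted attribute value.
DEFAULT_MARKERS = {
    "<": ({"text", "attr"}, "&lt;"),
    ">": ({"text", "attr"}, "&gt;"),
    "&": ({"text", "attr"}, "&amp;"),
    '"': ({"attr"}, "&quot;"),
    "'": ({"attr"}, "&#39;"),
}


class MarkerList:
    """Maintained list of markers of active content with an active/inactive flag per entry."""

    def __init__(self, table=DEFAULT_MARKERS):
        self.table = dict(table)
        self._inactive = set()

    def inactivate(self, marker):
        """Stop treating `marker` as active content without deleting its definition."""
        if marker not in self.table:
            raise KeyError(marker)
        self._inactive.add(marker)

    def activate(self, marker):
        self._inactive.discard(marker)

    def active(self):
        return [m for m in self.table if m not in self._inactive]

    def harmful_in(self, marker, context):
        """True when `marker` is active and dangerous inside the given element context."""
        contexts, _ = self.table[marker]
        return marker not in self._inactive and context in contexts

    def replacement(self, marker):
        return self.table[marker][1]


def find_markers(value, markers, context):
    """Markers present in `value` that are harmful where it will be rendered."""
    return [m for m in markers.active() if m in value and markers.harmful_in(m, context)]


def render_inert(value, markers, context):
    """Encode every harmful marker in `value` so embedded script cannot execute."""
    out = []
    for ch in value:
        if ch in markers.table and markers.harmful_in(ch, context):
            out.append(markers.replacement(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_greeting(name, markers):
    """Place one untrusted value into two elements, encoding it for each context."""
    return (f"<p>Hello, {render_inert(name, markers, 'text')}</p>\n"
            f'<input name="who" value="{render_inert(name, markers, "attr")}">')


if __name__ == "__main__":
    markers = MarkerList()
    payload = '"><script>alert(1)</script>'   # constructed sample input
    print(find_markers(payload, markers, "text"))   # ['<', '>']
    print(find_markers(payload, markers, "attr"))   # ['<', '>', '"']
    print(render_greeting(payload, markers))
```

The attribute context assumes the template always double-quotes attribute values, which is why the apostrophe is the only marker shown being inactivated: inside a double-quoted attribute it cannot close the value. Inactivating a marker widens what reaches the page, so an entry should be switched off only for a context in which it has been established to be inert, and URL-valued attributes (href, src) would need a context of their own that this table does not define.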

Regarding claim 28, the combination discloses:

wherein evaluating the HTTP request to determine if the input data includes a script construct comprises evaluating the HTTP request for an event (Wheeler, sect. 4.11.3, box of attack types). Herein, the combination teaches to test for events, such as 'onmouseover' events. It does not disclose onclick events; however, one of ordinary skill in the art would have recognized that 'onclick' events similarly introduce scripts, as 'onmouseover' events do (applicant may refer to evidence such as W3C Recommendation, "Scripts"), and would have been motivated to test for such malicious constructs.

Regarding claim 29, the combination discloses:

wherein evaluating the HTTP request to determine if the input data includes a script construct comprises evaluating the HTTP request for an element size expression (Wheeler, sect. 4.11.3, box of attack types).

Response to Arguments

Applicant's arguments filed 9/21/06 have been fully considered but they are not persuasive.

Applicants argue primarily that:

(i) For example, among other things, CERT I, CERT II and Hidalgo fail to disclose or suggest refraining from serving a response to the request if the request includes the marker of active content, and instead serving a response only to a request resubmitted by the user computer, as recited in combination with the other claim elements. In fact, and in direct contrast to the above claims, CERT I and CERT II specifically teach that rather than aborting the request so as to refrain from serving a response, the request is processed and a response is in fact returned. (Remarks, pg. 13).

First, the examiner notes, in response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).

Second, in response to applicant's argument that the references fail to show certain features of applicant's invention, it is noted that the features upon which applicant relies (i.e., serving a response only to a request resubmitted by the user computer) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

Third, in light of the applicant's allegation of a "direct contrast" between the prior art and the applicant's invention, the examiner points out that "returning a response" to the user computer upon submission of a malicious request is in fact the prior disclosure of the applicant (ex. see Specification, previously claimed 8). As does the applicant, the prior art discloses returning a response upon reception of a malicious request, wherein at no time are malicious requests executed.

Applicant's arguments with respect to claims 1-29 have been considered but are moot in view of the new ground(s) of rejection.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
See Notice of References Cited.

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffery Williams whose telephone number is (571) 272-7965. The examiner can normally be reached on 8:30-5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Emmanuel Moise, can be reached on (571) 272-3865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

J. Williams